My Security Bounty

I maintain a standing bounty of $100 [1] for anyone who discovers a vulnerability in my personal security: digital, financial, epistemic, or otherwise. This applies generally to every aspect of my life: my websites, my personal devices, my relationships and communications with other people, any information I would rather keep secret, my desire to have accurate beliefs about the world, etc.

[1] $100 is quite low relative to the normal payment for professional pentesting, which is intentional. My life is not high stakes, and it is not worth it to me to pay more.

Many people who are into security are into it because they enjoy it; see for example the game of Capture the Flag, which is often played for free. If you're the sort of person who enjoys such things, I'd encourage you to think of this as entertainment, with the bounty being a negligible bonus. If you find yourself less motivated to do something for $100 than for $0, that likely means you're falling prey to an irrational cognitive bias, the overjustification effect.

For my convenience, I will only guarantee payment via Paypal or Wise. If you strongly prefer another payment method (e.g. crypto) I will consider it, but I reserve the right to refuse if it poses too much of a hassle.

You have my permission to exploit any active or passive avenue against me to demonstrate such a vulnerability, such as hacking my websites, lying to me, planting physical devices on me, sending me phishing emails, using social engineering to get my friends to divulge private information, etc. (Subject to the restrictions in point #3 below.)

A vulnerability must meet the following criteria to qualify:

1. It has the potential to cause significant harm. For example, discovering the password to my main Facebook account would qualify, because a bad actor could use my reputation to scam my friends out of thousands of dollars. Discovering my password to a disused forum account I haven't touched in 15 years would likely not qualify. In the event you discover a vulnerability that falls short of this bar, I would still appreciate knowing about it, and will consider a partial bounty if you tell me about it.

2. It is not already sufficiently handled by existing systems. For example, I am aware that someone could show up to my house with a gun and kill me, but I believe this is adequately disincentivized by the criminal penalties for doing so. (Though if I were to become significantly famous for some reason, that may stop being the case.) As another example, I am aware that a malicious actor could DDoS my websites to take them offline, but I believe this is handled by the low probability of anyone caring enough about them to do so, and by the fact that if they do I can add protection when it happens with no lasting impact. In general, you will receive a bounty if and only if I decide that mitigating action is necessary after you share your findings with me.

3. You must not actually cause any significant harm to me or others. For example, wasting a few minutes of my time with phishing emails is fine, but taking one of my websites offline for more than a minute or two is not acceptable. My friends and family are generally reasonable people and likely won't mind if you manipulate them in service of helping me discover such vulnerabilities, but I cannot guarantee this, and I may decline the bounty if you cause any of them significant distress and I don't think they're being unreasonable. (Manipulating me personally is always fine short of extreme circumstances like somehow causing me lasting psychological damage.)

4. You must explain fully how you performed the attack, including every detail I ask for. In the event that you are unwilling to share certain details, I will consider a reduced bounty provided you at least share enough details for me to mitigate the problem.

5. I have the chance to re-evaluate the situation in between each bounty. For example, if you discover 5 unrelated vulnerabilities, I will only guarantee the first $100, not $500. (In most cases I would probably pay the other $400 as well, but am including this rider to prevent myself from being subject to owing people arbitrarily large amounts of money in the event my security is somehow really bad, or in case my financial situation deteriorates to the point where I cannot afford to pay multiple bounties at once.)

Record of past attempts

In 2022 I posted a version of this challenge on Manifold Markets. Someone quickly found my home address, winning the challenge. Given the difficulty of hiding that information whilst using my real identity online, I no longer consider my home address sensitive information.

Shortly afterwards I posted an updated version of the challenge that didn't include my home address. No one completed it.

In March 2025 I created this bounty page and posted it on r/pentesting. u/pldc_bulok noticed that my trivia controller let anyone submit strings to display on the trivia page, and that these strings could contain JavaScript, allowing for a trivial XSS attack. I paid them $100 as thanks for pointing out my stupidity, and fixed the issue.
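The trivia bug above is the textbook shape of stored XSS: a user-supplied string is concatenated into the page's HTML verbatim, so anything containing a tag runs in every visitor's browser. The following is an added example, not the site's actual trivia controller (whose stack and templates are not described here); it assumes a server-side template that wraps each submission in a list item, and shows the unescaped rendering beside the escaped one with a couple of constructed payloads.

```javascript
// Added example of the trivia-page XSS class: rendering an untrusted
// submission into HTML with and without escaping. The template shape,
// the payloads and the helper names are assumptions, not the real site's code.

// Escape the five characters that can break out of HTML text or a
// double-quoted attribute. This is only correct for those two contexts;
// URLs, inline JavaScript and CSS each need their own encoding.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the submitted string goes straight into the markup, so a
// payload containing a <script> or an on* handler executes for every visitor.
function renderUnsafe(submission) {
  return `<li class="trivia">${submission}</li>`;
}

// Hardened: the same template, but the untrusted value is escaped on output.
function renderSafe(submission) {
  return `<li class="trivia">${escapeHtml(submission)}</li>`;
}

// Constructed sample submissions: one benign, two typical probes.
const SUBMISSIONS = [
  "The capital of Australia is Canberra.",
  "<script>alert(document.cookie)</script>",
  '"><img src=x onerror=alert(1)>',
];

// Crude detector for the demonstration: after removing the one element the
// template itself emits, does any tag remain that the submitter controlled?
function containsInjectedTag(html) {
  const body = html
    .replace(/^<li class="trivia">/, "")
    .replace(/<\/li>$/, "");
  return /<[a-z!\/]/i.test(body);
}

// Render every sample both ways and report whether a tag got through.
function demo() {
  return SUBMISSIONS.map((s) => ({
    submission: s,
    unsafeInjects: containsInjectedTag(renderUnsafe(s)),
    safeInjects: containsInjectedTag(renderSafe(s)),
  }));
}
```

The durable fix is to let a template engine with contextual auto-escaping do this on every output path (or, client-side, to assign user text via `textContent` rather than `innerHTML`) and to treat the hand-written `escapeHtml` above as an illustration of what that engine does, not as a thing to sprinkle by hand; a Content-Security-Policy header that forbids inline scripts is a useful second layer but not a substitute.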
